The examiner provisionally rejected claims 8-13 and 17-22 on the ground of non
Wi r nw\ oas v \ do ir w u,t m ce As „ ! .umIjh cwt - h -e' co- 

ne ring App ' N " ( « 

In the prior Office Action, the examiner furnished the following claim chart:



Instant claim 8 and base claim 1 are reproduced below:

1. (Previously Presented) A system, comprising:
a plurality of collector devices that are disposed to collect

connection information to identify host connection pairs from
packets that are sent between nodes on a network; and



connection table that maps each node on the network to a record 
that stores information about packet traffic to or from the node.
8. (Original) The system of claim 1 wherein the connection
table includes a plurality of records that are indexed by source
address.

Claim 5 and base claim 1 from 10/701,356 ('356) are reproduced below:

1. (Currently Amended) A device, comprising:

a memory storing a connection table that maps each node of a 
! wt ! , Lam, IP h{ ( 
about traffic from the node. 

5 < n-( i lU \n en VJ Ih - d.\ w. o: c a n i whennn ex i 
w ww i he uwan unit map U pj i - records 
that are indexed by source address, the plurality of records



ns :W ••<. 



claims 8 and 17
claims 9 and 18
claims 10 and 19
claims 11 and 20
claims 12 and 21
claims 13 and 22 



claim 6
claim 7 
cteiiii 8 
claim 9 
claim 10 
including host-pair records that map network traffic between pairs
of hosts.

In response the revioi at 01 \ppiicani ad i dicatedav, in mess oconside 
submission oi £ terminal dis Unmet Hcftcvei n view oi the a "r.u fCjvUu< »»»v :U Male 
the claims in '55b x\ n, , > i Applicant responds as follows: 

hot a 1 claim 8 <. t , e- m« - < f m, i pmmhiy o collcetois . . an j_. > A 
produces a connection table that includes records indexed by source address. Claim 5 of '356 in
contrast calls for a processor and a memory storing a connection table that includes records
i dv , u . s n f v v i k! aig te-, that 

As per claims 8 and 17 of the instant application, claims 8 and 17 have the
common limitation of "the connection table includes a plurality of records that are
indexed by source address" with claim 5 of 10/701,356. This common limitation
performs the same function

It would have been obvious to one of ordinary skill in the art at the time the
invention to use the indexing method of claims 8 and 17 of the instant application in
the connection table of claim 5 of 10/701,356. One of ordinary skill in the art at the
time the invention would have born motivated l<> snake itie comfmt.n.n*! i>« , .msi 
Kxarding t 0 the spedfkatsoas of tin t >uree address t« 

ect ( s t ful j(! d in u 

hi < a? Hd ! i V JHPOtt S S d wsth i . 'In « ( 

to detect DoS attacks, (.page 5, paragraph 100" I and paste o. paragraph MM' 

\p;d <. > ot tends ilu ne e.\ bec ms c „..u> S <« d 5 s san a ct< > i\> s ,i, . >> 
connection table" does not make this a proper obvious type double patenting rejection. Indeed, 
claim 8 of the instant case requires data collectors, which elements are not recited claims 1 or 5 
ot d t • < ^ u ^ u 

1A s v! s ^ o K lt , t(U t N p Cl u ii^j ' uk, sma.xsm bv source 

address and also relies on Malan for that teaching. As will be discussed below, Malan does not
teach indexing by source address. As for the use of the instant specification, Applicant believes
that only the claims of the instant case can be properly used by the examiner. The teachings of
the instant specification are not available to the examiner in an obvious type double patenting
rejection. 

Mommeu n is p e d.da .oikxtors and not mdesnn: (hat r i^Ucu m m.mn A hnt wh -.h ^ 
missing in shun 5 ot "356. Applicant contends that there s rv esumstou of the mo<"ooA\ to 
exciut c * i o It. y^ren > ^ -vie./, to the usnnn ' a v i o t a tot iw * v

appiicati since lai is of instai case requires data coSk foi 

A similar analysis holds for claims 9 and 18 of the instant application with claim 6 of
'356; claims 10 and 19 of the instant application with claim 7 of '356; claims 11 and 20 of the
instant application with claim 8 of '356; claims 12 and 21 of the instant application with claim 9
of '356; and claims 13 and 22 of the instant application with claim 10 of '356.

Therefore, Applicant contends that the rejection is improper and should be withdrawn. 



35 U.S.C. § 103

The examiner rejected Claims 1-5, 12-16, and 21-22 under 35 U.S.C. 103(a) as being
unpatentable over Malan et al. (U.S. PUB No. 20020032871) in view of Cidon et al. (U.S. Patent
No. 6,269,330):



As per claim 1, Malan discloses a system, comprising:

a plurality of collector devices that are disposed to collect packets that are sent
between nodes on a network (page 5, paragraph [0066]) and (Fig. 4, elements 20,
20b),

anaiiw „n - n * f ,jph foo il.hms" H, and o>.^r k paragraphs 

['0032"), \mmi and [0034;; thai receive, a, ?v.:.ri, data from the ptnraiitv of eoOeefor 
i ! en nt 29, 20b). 

Malan fails to explicitly disclose a connection table.

Cidon teaches:

sending connection information to identify host connection pairs from collected
(col. 14, lines 64-67 through col. 15, lines 1-10)

producing a connection table (Fig. 3, element 154) that maps each node of a

t k ut or from !hs n«m 

(col. 14, lines 64-67 through col. 15, lines 1-10).

It would have been obvious to one of ordinary skill in the art at the time the
invention to use the method of network fault location of Cidon et al. in
combination with the network anomaly detection system of Malan et al. to

*! On d 5 ! ,i a< !%uuk anomalies. 

One of ordinary skill in the art at the time the invention would have been
> • 1 « ■ ' - - • ! s atii o txuatise fx iii nveoss ; iseios o> ii 
iih^kum Otwdai VrvK< Vit -iks in > tutweik Mat,m>! al ('M)wn ! -o.iMu 

os- OoS attacks 5 .! ,<>>*-< t- ' i.oi o» 

para rap t *H - < sdon i d d< , !«s< , a a ! d , ua. aba hi 

generate network traffic and a traffic analyzer to analyze the traffic statistics to
locate network faults (Fig. 2).



i s I s < v M u Li tl <K t ) ta .s. i p ) i 

Cul m since < k i r nb t) t on < i eferei , 1 1 itite de.sa k noi suggt si ! n > t w a p un c [ 
collet > tk k iett connection information t< sdcuiii^ host coutumi n tails i >m

pUlke n v f .IhHNO Hi OTk Hid 1 v < s k iu> > 

i v i i t < tb t v s > 1 v 5 1 1 h 

traffic to or from the node. 

The examiner admits that: "Malan fails to explicitly disclose a connection table." The
examiner relies on Cidon, col. 14, lines 64-67 through col. 15, lines 1-10 and Fig. 3, element
154.

ds that Cid 1 ei depn s a box 15 >c s oi e< on 

table." As for Cidon, col. 14, lines 64-67 through col. 15, lines 1-10, those are reproduced
below:

> > s < s t >t , , j li«n table 154 wt» i 

> f I 1 1 j 1 ' i \ »! 

information pertaining to the connection or stream. Preferably, each entry includes
information, such as the number of received packets in the stream, a total delay of

< 1 - u< -so ma .) u n (i >» 

number of lost packets, etc.

Preferably, table 154 includes entries only for connections or streams for which
nmmmui i • , , s wfiler8Qnau>s|w.ilu.fit i juest J naiysis VitttratUvd.t 
or additionally, table 154 may record substantially all of the received connections,
and a hiiibpI < >m testing center 80 nt fmts imlwtr » id) commctmm to 
report.

Hhh * hde Cidon e^ch^es something called "a connection t.th e " ( Mr'<- disclose,,] 
"connection table" does not meet the limitations of claim 1. That is, claim 1 requires "an

teats < 3 % s ! v i nil ti it ■> ;!f c ( v vv •> 

which produces a connection table that maps each node on the network to a record that stores
information about packet traffic to or from the node." I he u>noccik.u i«»Me v u 1 h\ Cidon 
doc, u,d it as ( • t uv.ka. , 

Cidon's table 154 does not describe: "a connection table that maps each node on the
b Us fkto Oc ' v ' o in o si baa n >i pass I iilO [ t >ii ' at »0 

' v a v eferably identi led by vh nee number o rc > 

tsMUvcdoti » .) vJ» v tit \h,\ ati .is .u jddtoo i h o miend ( > t tmv v e~ 
fsO no ideieds i ni . u > d s CL tntiks tstnf o? v oi t > c t c, v,il* net 

Cidon, o.,: !>, mvs -0-12. 
transmittal time of the packets, the identity of the transmitting host, the route or a part thereof
d rough aIuv :> fta packet , ere pe\-ed, me omtents ot the piu 1- ot\, ei ar.\ ->ih ■ suitable 
variables; 1 " This explanation of Cidon's connection table clearly shows that there is not any 
\.d ode in a network, 
•■ N » < ape? t;\s M cub - e pi u . u e>* ee <do\A , \l\ art 

dispx c» ot kits mk j «. i Uh on packets h sent betwaei i eson; setw ik 
(page 5, paragraph [0066]) and (Fig. 4, elements 20, 20b)." Claim 1, however, also calls for:
"collector devices ... to collect connection information to identify host connection pairs
f i n » at) k \ u t , sp n m Maian at [t»v^ . Rnhv ti 4 ) \j s v »u op !t < 
data packet flow statistical information to detect data packet flow anomalies.

Applicant contends that one of ordinary skill in the art would not be motivated to make 
h< irpo • ma canse while Malan discloses blocking Denial of Service Attacks, 
Cidon in contrast is directed to "testing and fault discovery in communication networks," not to
blocking of: attacks and in particular DOS attacks. Aeeon ing to ( idon 'Preft n >l 

eutsfurthv ch.u e orrnon Ok u ?;ers, which receive data packets gnals on 
the network and measure and determine the nature, timing and contents of the data according to
commands from the testing center."

Fhus. the thrust of Cid % to. , s are to fai t ieter < im ks not to 
blocking of attacks rhcrefore, the- examiner's motivation to cot vine these t e must fail 
I iwtK juutc it* i uHcms and the examiner has no howrn y ev« he 

Ifn s UtbL »\ niv.s toned in Cidoj vouk >e t van ih sj lem 

disclosed by Malan.

Accordingly, no combination of Malan with Cidon describes or suggests Applicant's
claim 1.
Claim 2

Claim 2 is distinguished over the combination of Malan and Cidon, at least for the reason
that it depends from claim 1. In addition, claim 2 requires that the aggregator determines at
least in part from connection patterns derived from the connection table occurrences of network
events that indicate potential network intrusions. This feature is not taught by the combination.

The examiner contends that: "Cidon teaches at least in part from the connection patterns
derived from the connection table (col. 14, lines 64-67 through col. 15, lines 1-10) and (Fig. 5,
evaluate performance of network)." The examiner now acknowledges that Malan does not teach
the connection table. Cidon, while teaching an item that he refers to as a "connection table," does
io tea*'! ulc c n. t k o*. «s that mdto.ne p i ^ i i d as least n 

part from connection patterns derived from the connection table. The combination of Malan
with Cidon would lead one of ordinary skill in the art to derive occurrences of network events
from the statistical data collected by the collectors, since neither Malan nor Cidon teaches one of
ordinary skill how to derive occurrences of network events based at least in part on connection
patterns. Accordingly, claim 2 serves to further distinguish over Malan and Cidon.

<• (i Oil 

M>pl < !i - is amended claim 3 to claim that; e as < tier fu her comprises a 

process that collect statistical information on packets that are sent between nodes on a network 
<. iv v. s Witooeii n n t i > 

* id hat \spe claim 5, Mai i uorftmh 

comprises: a process that collect statistical information on packets that are sent between nodes on

I I \ok w i s u iniii ilmoi i'u i ( j, 
[0075], lines 8-13 and page 7, paragraph [0086], lines 1-10)."

I ' H >s , '! t ,h . t wa t.H b-U >-, dh\ s f a.es u»,\ on o' 

statistical information on packet flows. Claim 3, however, distinguishes over Malan and Cidon,
( ' * comb h n with < wk n de^crihe> or suggests that ih t ». s 

both "the statistical information and the connection information," as required by claim 3.

Claim 4 recites that: "the aggregator device further comprises: a process to detect
anomalies in connection patterns; and a process to aggregate detected anomalies into the network
events."

The examiner contends that:

As per claim 4, Malan discloses the aggregator device further comprises:
a process to aggregate detected anomalies into the network events (page 5,
paragraph [0071] and page 3, paragraph [0032]).
Cidon teaches:

i'H <>!*< a niiim iii niiitu .u.j uii 14 bmvMt^ 

through col. 15, lines 1-10) and (Fig. 5, evaluate performance of network).

i cations anoraa! pa > Ij and again at fO iiOgn 

combination of Malan with Cidon suggests: "to aggregate detected anomalies into the network
events."

Claims 12 and 13

Claim 12, which recites that ... the connection table includes a plurality of connection 
sub-tables to track data at different time scales and claim 13, which recites that ... wherein the 
connection sub-tables include a time-slice connection table that operates on a small unit of time
and at least one other sub- table that operates on a larger unit of time . . . with each sub-table 
holding the sum of .records received . , . during icspeei \ e un ts v»t u ne ) , , 

ver Malan taken \ h Cidon, since n combination of these references sugg e coanct s 
table, per se, or a connection table arranged in sub-tables according to time scales.

The examiner argues that; "As per claims 12 and \ Cidon discloses the connection table 
(Fig. 3, ctenvm - > uo a plurality of connection sub-tabb* tool. 5, Imes 23-24. nodal 
tables) to track data at different time scales ui 14. lines 64-67 through col. 15. lines 10} 

1 luvo , the :\x- v.ec at u>: * hue. ? < 2-; mom Jon , i;o\ mg cmvu-mp.g "mb lahk- to 
track data at different time scales" and the passage at col, 14, fines 64-67 through col, 15, lines 1- 
v s e ha < id on can * ex m eun s tac c u > silent os t\ 
2 urn ] ibies to rack dt a at different time scales 
1 1 t t ich recite ub hies tneiud e-slice coime ,p „ >p« es
on a small unit of lime and at least one other sisb-iable thai operates on a larger unit of time „s 

! i >. t mms p L p m claim 12, n a uJ f iAM«o,Miot o>i. 

» N iVsa , hi v.us ■ i t ih„ v ,,\ «. J c^esud'Cva 

time-slice connection table that operates on a small unit of time and at least one other sub-table
that operates on a larger unit of time than the time slice sub-table

Claim 5 is allowable at least for the reasons given in claim 1; claims 14-16 are allowable
for analogous reasons given in claims 1, 3 and 4. Claims 21-22 are allowable for analogous
reasons given in claim 12 and 13.



The examiner rejected Claims 6 and 7 under 35 U.S.C. 103(a) as being unpatentable over
Malan et al. (U.S. PUB No. 20020032871) in view of Cidon et al. (U.S. Patent No. 6,269,330)
and further view of Hill et al. (U.S. Patent No. 6,088,804).

Claims 6 and 7 are allowable over the combination of references at least for the reasons
discussed in claim 4 and 1 and because Hill does not cure the deficiencies of Malan and Cidon.

The examiner rejected Claims 8-11 and 17-20 under 35 U.S.C. 103(a) as being
unpatentable over Malan et al. (U.S. PUB No. 20020032871) in view of Cidon et al. (U.S. Patent
No. 6,269,330) and further view of Chi et al. (U.S. Patent No. 5,940,870).



The examiner stated:

As per claims 8 and 17, Cidon discloses the connection table (Fig. 3, element
fS4; Vlalaa us «} < idon faffs to explicitlj discio t indcxii^b} atldra s 
Chi teaches: 

includes a plurality of records that are indexed by source address (col. 5, lines

It would have been obvious to one of ordinary skill in the art at the time the
invention to "t'-t it t i f w »k m< nut d ! t ( ,> hi! i \fi mh! u 
eOHibittatinn wish Sfn< ti.msUtin„ address method of i m ■ i ai'- So . Ik v^U 
address mapping tables of a multi-computer cluster.

One of ordinary skill in the art at the time the invention would have been
< the com) matt m , « h <>i > s i< t n . i i » nsell 
blocking security attacks in a network. Malan et al. discloses a database for
f«« ii»g sot«-< > U nat no , id i * i ntitertehvn ■< nagt >-< r u ipi 

f i >i iKdiM nsipone t dde tint >S * v j , < i Si 
information of the network nodes (Fig. 8). Network statistical information is used to
efficiently identify the source and destination nodes of the network (Chi, col. 3, lines
33-37) and (Malan, page 5, paragraph [0067], lines 10-14).

Applicant contends that claims 8-11 and 17-20 are allowable over the combination of
references.

Taking claim 8 as an example, claim 8 requires that: "...the connection table includes a
plurality of records that are indexed by source address." The examiner acknowledges that Malan

dee n ^ n it s ii i , i i ( j ^ k! b i t -pe-. i cat <. 

citing to Col. 5, lines 29-43 thai passage, Chi discusses an a s « mm ap tal m 
specifically an AMT index and offset as an address formation into the table. While Chi
mentions the word "index," Chi does not describe any indexing of a connection table according to
.idio-s affnee , I r 1 v> k- Au\ u isl io ; \ > s \ kv , , ..sum 

u ! lu s >> , iuc- compute" Astern No eonJuuatior of M J u » utt»H sdu < i< 

< m s in. In o 1 i i > i v >n s*x 

addresses, 

Appliea contends that s iprope; applicattos >d 
v roat rap n had pick del oo t aci ings various references. In addition, the motivation 
pi u"ao ^'Sanrn'OL i an j!h.* Chi ctal. discloses a ira p , < c r-e> the somoe 
and destination information of the network nodes (Fig. 8). Network statistical information is used
to efficiently identify the source and destination nodes of the network (Chi, col. 3, lines 33-37)
and (Malan, page 5, paragraph [0067], lines 10-14)." is inadequate.

Itfsnmv g ht onbmc Chi withMaian and CiUon. since Chi do sot teach ih 
"Network statistical information is used to efficiently identify the source and destination nodes
of the network," as the examiner contends, whether at col. 3, lines 33-37 or elsewhere. Rather, at
that passage, (mi teaches that ource node an ad t s u M.T index o 

an offset. Moreover, this motivation is not directed to the claimed invention, which is to provide 
a connection table indexed by source address to retrieve a record that stores information about 
traffic to or from the node.

t Malan also does s teach th Net* k s sticai info i s used to 

t ft dent j tie it f> t u source and do mttto i nodes o tm. vetwmk a, page ~ \a .j 1 l \ ' 
lines !U as the examiner contends. 
\ecotd tgK the mol,s o;s o JJ kkX; ! f ti ' , J 1 ) 01

references do not suggest the claimed features.

Similar arguments apply to claims 9-11 and 17-20.



The examiner rejected Claims 23 and 24 under 35 U.S.C. 102(e) as being anticipated by 
Belissent (U.S. Patent No. 6,789,203).
The examiner stated: 



As per claim 23, Belissent discloses a method of detecting a new host
connecting to a network comprises:

recming statistics collected from a host in ««; network (Fig. di and indicating 
to a console that the host is a new host if, during a period of time, T, the host
transmits at least N packets and receives at least N packets, and if the host had
never transmitted and received more than N packets in any previous period of time
with a duration of T (col. 4, lines 9-21) and col. 5, lines 62-67 through col. 6, lines 1-
17). Belissent discloses a system for monitoring connection request rates over a
period of time and a rejection threshold.



Belissent neither describes nor suggests . . . receiving statistics collected from a host in the
network and indicating . . . that the host is a new host if, during a period of time T, the host
transmits at least N packets and receives at least N packets and if the host had never transmitted
and received more than N packets in any previous period of time with a duration of T.

Belissent teaches at (col. 4, lines 9-20) throttling the pro.vwng ,? ^ v < s< r, on- to 
\ \ ' > k ml d u !c tn ,v\ to li.itk Mip'm ! ns t t \o <t s o 

these mjM.ns imd the icasou; x>' iccotd, as pemmum V Sc -c t me t hex ion able 

The examiner stated:



As per claim 24, Belissent discloses a method to detect a failed host in
a network comprises:

determining if both a mean historical rate of server response packets from a
host is greater than M, and a ratio of a standard deviation of historical rate of
server response packets from the host to a mean profiled rate of server response
packets from the host is less than R over a period of time; and indicating the host as
a potential failed host if both conditions are present (col. 4, lines 9-21 and col. 5,
lines 62-67 through col. 6, lines 1-17).



Belissent, whether at col. 4, lines 9-20; col. 5, lines 62-67 through col. 6, lines 1-17 or
elsewhere, neither describes nor suggests determining if both a mean historical rate of



iinv am P ett 
server response packets from a host is greater than M, and a ratio of a standard deviation of
historical rate of server response packets from the host to a mean profiled rate of server response
packets from the host is less than R and indicating the host as a potential failed host if both
conditions are present.

\ co -f i s t s v. n ! t e i a v vi > v v v i 

attacks, whereas at col. 5, lines 62-67 through col. 6, lines 1-17 Belissent discusses connection
request rate throttling. Nowhere does Belissent teach the features of claim 24, e.g., to detect a
failed host, and in particular determining the two conditions of claim 24 to indicate a potential
failed host if both conditions are present.

On set s diet h seen as neither descj d> ^t t i ^ > App u\ 

invention whether taken alone or in combination with the applied art. 

No fee is believed due. If a fee is due, please apply that fee and any other charges or
u! s de ceo 1 



Respectfully submitted. 